z/OS Security Server RACF Security Administrator's Guide


Scenario 8: Using the IBM Encryption Facility for z/OS

SA23-2289-00

Wen Ting is preparing to use the IBM® Encryption Facility for z/OS® to encrypt some of her own data sets and to recover encrypted data sent to her by Yun, a business partner. She wants to create a new certificate with a 2048-bit RSA public/private key pair called Wen Ting's certificate. IBM Encryption Facility requires a PKDS label, so she specifies the PKDS operand and lets RACF® generate a default PKDS label.
  1. Wen Ting creates her certificate using the RACDCERT GENCERT command:
    RACDCERT GENCERT SUBJECTSDN(CN('Wen Ting''s certificate'))
       WITHLABEL('Wen Ting''s certificate') SIZE(2048) PKDS
       NOTAFTER(DATE(2020/08/10))
  2. She lists the certificate to see the PKDS label generated by RACF. Here is her RACDCERT LIST command and her output:
    RACDCERT LIST(LABEL('Wen Ting''s certificate'))

    Digital certificate information for user WENTING:
       Label: Wen Ting's certificate
       Certificate ID: 2QfHxdbZx8XUaqweQMOFmaNA46iXhUBgQOKFmUB7QPDw
       Status: TRUST
       Start Date: 2005/08/11 00:00:00
       End Date:   2020/08/10 23:59:59
       Serial Number:
           >00<
       Issuer's Name:
           >CN=Wen Ting's certificate<
       Subject's Name:
           >CN=Wen Ting's certificate<
       Signing Algorithm: sha256RSA
       Key Type: RSA
       Key Size: 2048
       Private Key: YES
       PKDS Label: IRR.DIGTCERT.WENTING.SY1.BD7103108611F42F
       Ring Associations:
       *** No rings associated ***
  3. Wen Ting needs to send her new certificate to Yun so that he can send her his encrypted data. Before doing this, she exports the certificate using this RACDCERT EXPORT command:
    RACDCERT EXPORT(LABEL('Wen Ting''s certificate')) DSN(FOR.YUN.CRT)
  4. She sends the exported certificate to Yun using email or FTP. (RACF is not involved with this step.) The exported certificate does not contain the private key, so the data set that she transmits need not be protected in any way.
  5. When Yun receives the file, he adds it to his company's RACF database as a site certificate using the RACDCERT ADD command and calls it WenTing. To use the IBM Encryption Facility, he also needs the public key for this certificate stored in the ICSF PKDS.

    Yun chooses to add the certificate from Wen Ting as a site certificate on his system (using the SITE operand). The SITE designation is most appropriate for this certificate because it will not be used as a CA certificate (so CERTAUTH is not correct) and because Wen Ting is not a user on his system (so USER is not required).

    Here is Yun's RACDCERT ADD command:
    RACDCERT SITE ADD(WENTING.CRT) WITHLABEL('WenTing') ICSF(*)
  6. Yun lists the new certificate to see the PKDS label. Here is his RACDCERT LIST command and his output:
    RACDCERT SITE LIST(LABEL('WenTing'))

    Digital certificate information for SITE:
       Label: WenTing
       Certificate ID: egljcv8XUaqweQMOFmaNA46iXhUBgQOKFmUB7QPDw
       Status: TRUST
       Start Date: 2005/08/11 00:00:00
       End Date:   2020/08/10 23:59:59
       Serial Number:
           >00<
       Issuer's Name:
           >CN=Wen Ting's certificate<
       Subject's Name:
           >CN=Wen Ting's certificate<
       Signing Algorithm: sha256RSA
       Key Type: RSA
       Key Size: 2048
       Private Key: No
       PKDS Label: WENTING

Compare Wen Ting's and Yun's output listings. They now share the same certificate and can begin exchanging encrypted information.
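To make that final comparison mechanical, here is an added Python example (not part of the RACF documentation) that parses RACDCERT LIST output in the layout shown above and checks that the sender's and receiver's listings describe the same certificate, that only the sender's copy has a private key, and that both copies carry a PKDS label. The two listings are constructed samples trimmed to the fields the check reads.

```python
import re

# Constructed listing in the RACDCERT LIST layout, trimmed to the fields the check reads.
SENDER_LISTING = """Digital certificate information for user WENTING:
   Start Date: 2005/08/11 00:00:00
   End Date:   2020/08/10 23:59:59
   Serial Number:
       >00<
   Issuer's Name:
       >CN=Wen Ting's certificate<
   Subject's Name:
       >CN=Wen Ting's certificate<
   Signing Algorithm: sha256RSA
   Key Type: RSA
   Key Size: 2048
   Private Key: YES
   PKDS Label: IRR.DIGTCERT.WENTING.SY1.BD7103108611F42F
"""
# Yun's SITE listing differs only in owner, private-key flag and PKDS label (set by ICSF(*)).
RECEIVER_LISTING = (SENDER_LISTING.replace("user WENTING", "SITE")
                    .replace("Private Key: YES", "Private Key: No")
                    .replace("IRR.DIGTCERT.WENTING.SY1.BD7103108611F42F", "WENTING"))

def parse_listing(text):
    """Map 'Field: value' lines to a dict; 'Name:'/'Number:' headers take the >...< line below."""
    fields, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if pending and re.fullmatch(r">.*<", line):
            fields[pending], pending = line[1:-1], None
        elif ":" in line and not line.startswith("***"):
            key, _, value = line.partition(":")
            if value.strip():
                fields[key.strip()] = value.strip()
            else:
                pending = key.strip()
    return fields

IDENTITY_FIELDS = ("Serial Number", "Issuer's Name", "Subject's Name", "Start Date",
                   "End Date", "Signing Algorithm", "Key Type", "Key Size")

def check_exchange(sender, receiver):
    """Return problems found; an empty list means both sides hold the same certificate correctly."""
    problems = [f"{f} differs: {sender.get(f)!r} vs {receiver.get(f)!r}"
                for f in IDENTITY_FIELDS if sender.get(f) != receiver.get(f)]
    for who, d, want in (("sender", sender, "YES"), ("receiver", receiver, "NO")):
        if d.get("Private Key", "").upper() != want:
            problems.append(f"{who}: Private Key should be {want}, listing shows {d.get('Private Key')!r}")
        if not d.get("PKDS Label"):
            problems.append(f"{who}: no PKDS Label, so the key is not in the ICSF PKDS")
    return problems
```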

Copyright IBM Corporation 1990, 2014